Qname Minimization

ultimate dns warrior Aug 07, 2025

 

This blog post covers inconsistencies in the subdomain delegation process that can be exposed by a specific setting found on modern resolvers: Qname Minimization.

 

 

In this subdomain delegation setup the answer for www.staging.sydney.unw.com will depend on whether Qname Minimization is enabled or disabled on your Recursive Resolver.

 

With Qname Minimization Enabled: The answer will be:  10.6.6.6

When this feature is enabled, the resolver sends only the next label of the FQDN at every stage of the iteration, rather than the full name:

1st Query --> com --> To the root NS
2nd Query --> unw.com --> To the com NS --> NS will send referral to ns1.unw.com
3rd Query --> sydney.unw.com --> To ns1.unw.com --> NS will send referral to ns1.sydney.unw.com
4th Query --> staging.sydney.unw.com --> To ns1.sydney.unw.com --> Will return NXDOMAIN
5th Query --> www.staging.sydney.unw.com --> To ns1.sydney.unw.com --> NS will return 10.6.6.6

 

Cloudflare's 1.1.1.1 has this feature enabled as of this writing, and hence our DNS name will resolve to 10.6.6.6.

 

With Qname Minimization Disabled: The answer will be:  10.7.7.7

When this setting is disabled the resolver sends the full FQDN at every stage of the iteration: 

1st Query --> www.staging.sydney.unw.com --> To the root NS
2nd Query --> www.staging.sydney.unw.com --> To the com NS --> NS will send referral to ns1.unw.com
3rd Query --> www.staging.sydney.unw.com --> To ns1.unw.com --> NS will send the longest (best) matching referral to ns1.staging.sydney.unw.com
4th Query --> www.staging.sydney.unw.com --> To ns1.staging.sydney.unw.com --> Will return 10.7.7.7

 

Google's 8.8.8.8 has this feature disabled as of this writing, and hence it will resolve this DNS name to 10.7.7.7.
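The two walks above can be reproduced offline with a small model. This is an added example, not code from the original post: the zone contents are constructed from the two query lists, the server labels "root" and "com-ns" are placeholders, and query types are ignored for brevity.

```python
# Constructed model: each server has delegations ("cuts") and A records ("a").
SERVERS = {
    "root": {"cuts": {"com": "com-ns"}, "a": {}},
    "com-ns": {"cuts": {"unw.com": "ns1.unw.com"}, "a": {}},
    # The parent zone delegates sydney AND, inconsistently, staging.sydney.
    "ns1.unw.com": {"cuts": {
        "sydney.unw.com": "ns1.sydney.unw.com",
        "staging.sydney.unw.com": "ns1.staging.sydney.unw.com"}, "a": {}},
    "ns1.sydney.unw.com": {"cuts": {},
                           "a": {"www.staging.sydney.unw.com": "10.6.6.6"}},
    "ns1.staging.sydney.unw.com": {"cuts": {},
                                   "a": {"www.staging.sydney.unw.com": "10.7.7.7"}},
}

def ask(server, qname):
    """Return an A record, else the longest-matching referral, else negative."""
    zone = SERVERS[server]
    if qname in zone["a"]:
        return ("answer", zone["a"][qname])
    matches = [c for c in zone["cuts"] if qname == c or qname.endswith("." + c)]
    if matches:
        return ("referral", zone["cuts"][max(matches, key=len)])
    return ("negative", None)  # the post reports NXDOMAIN at this step

def resolve(fqdn, qmin):
    """Iterate from the root; with qmin, reveal one more label per query."""
    labels = fqdn.split(".")
    depth = 1 if qmin else len(labels)
    server, trace = "root", []
    while True:
        qname = ".".join(labels[-depth:])
        kind, value = ask(server, qname)
        trace.append((qname, server, kind))
        if kind == "answer" and depth == len(labels):
            return value, trace
        if kind == "referral":
            server = value            # follow the delegation
        elif depth == len(labels):
            return None, trace        # full name asked, nothing found
        depth = min(depth + 1, len(labels))

if __name__ == "__main__":
    for qmin in (True, False):
        ip, trace = resolve("www.staging.sydney.unw.com", qmin)
        print(f"qmin={qmin}: {ip} after {len(trace)} queries")
        for qname, server, kind in trace:
            print(f"  {qname} -> {server}: {kind}")
```

The minimizing walk never sees the staging.sydney.unw.com delegation held by ns1.unw.com, because the name it sends there only matches the shorter sydney.unw.com cut.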

  

The fix:

Once a subdomain has been delegated, do not create any records at that level of the hierarchy, or below it, in the parent zone. All those records should go in the zone for the subdomain.

Here is the simple and correct way of performing subdomain delegation: 

 


 

 
